At 11:08 PM -0400 10/14/03, Michael J. Stango wrote:
I've gotten a few attempts in recent weeks, most recently on October 3rd. My
log is usually about 10-20K per day, but October 3rd's was 60K.

I found this in the log:

----------
17:15:31 1 SMTP-207([218.70.9.3]) SPAM? Host is in the Blacklist
17:15:32 3 SMTP-207(dfasfd-vojmlg22) Failed to verify. Real address is
[218.70.9.3:2741]
17:15:36 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:36 1 SMTP {webmaster} AUTH failed: password(webmaster) is wrong.
Connection from [218.70.9.3:2741]
17:15:41 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:41 1 SMTP {webmaster} AUTH failed: password(webmaster12) is wrong.
Connection from [218.70.9.3:2741]
17:15:43 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
17:15:43 1 SMTP {webmaster} AUTH failed: password(webmaster123) is wrong.
Connection from [218.70.9.3:2741]
17:15:45 0 SYSTEM Account {webmaster} Resources open failed. Error Code=-43
----------

And so on, until it finally stopped at 17:23:57. They try many basic account
names, and many fairly simple passwords for each.

Every time I've seen this crap in my logs, it has come from an IP in China,
so there's probably not much point in complaining to the ISP's abuse@
address.

Sadly, that is true. Even sadder, the guilty party is likely to be sitting within 20 miles of me. The infamous Alan Ralsky, who before his prison term worked in insurance fraud in Illinois and now spams out of the Detroit suburbs by way of China, has been a pioneer in this attack. Fortunately, this seems to be at last a chance to get the feds to nail him. Abusing trivially open relays and proxies can be argued to not be criminal because they are services which are left open, but password cracking is something even the 10-watt folks at the FBI can understand to be an intentional violation.


Starting with the October 3rd penetration attempt, I now create a
rule in IPNetSentry that denies all traffic from the attacking IP's
enclosing netblock.

A wise move.


In fact, I advise anyone who does not have active correspondence with China to block SMTP access at the packet level from the entire country. It is a tragic problem, but there really isn't enough of a trickle of legitimate mail coming out to justify digging through the flood of sewage, and the corrupt/incompetent network operators there almost uniformly do nothing to stop it.

--
Bill Cole
[EMAIL PROTECTED]
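A detector for the kind of burst quoted above, added here as an example and not part of this thread or of any product: it rejoins the mail-wrapped log records, parses the "AUTH failed" entries, and flags a source IP once it accumulates several failures inside a short window. The record layout is assumed from the quoted lines; the sample input reuses those entries plus one constructed, isolated failure from 192.0.2.10 that should not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One SMTP AUTH failure record, after the mail wrapping has been undone.
AUTH_FAIL = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \d SMTP \{(?P<account>[^}]+)\} AUTH failed: "
    r"password\((?P<pw>[^)]*)\) is wrong\. Connection from \[(?P<ip>[\d.]+):\d+\]$"
)

def unwrap(text):
    """Rejoin records the mail client wrapped: a continuation line has no timestamp."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.match(r"\d\d:\d\d:\d\d ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def find_auth_bruteforce(text, threshold=3, window=timedelta(minutes=10)):
    """Report source IPs with >= threshold AUTH failures inside one window."""
    per_ip = defaultdict(list)
    for rec in unwrap(text):
        m = AUTH_FAIL.match(rec)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S")
            per_ip[m["ip"]].append((t, m["account"], m["pw"]))
    report = {}
    for ip, tries in per_ip.items():
        times = sorted(t for t, _, _ in tries)
        if len(tries) >= threshold and times[-1] - times[0] <= window:
            report[ip] = {"failures": len(tries),
                          "accounts": sorted({a for _, a, _ in tries}),
                          "passwords": sorted({p for _, _, p in tries})}
    return report

# Constructed sample: the wrapped entries quoted above, plus one isolated failure from 192.0.2.10 (a documentation address).
SAMPLE = """\
17:15:32 3 SMTP-207(dfasfd-vojmlg22) Failed to verify. Real address is
[218.70.9.3:2741]
17:15:36 1 SMTP {webmaster} AUTH failed: password(webmaster) is wrong.
Connection from [218.70.9.3:2741]
17:15:41 1 SMTP {webmaster} AUTH failed: password(webmaster12) is wrong.
Connection from [218.70.9.3:2741]
17:15:43 1 SMTP {webmaster} AUTH failed: password(webmaster123) is wrong.
Connection from [218.70.9.3:2741]
17:20:02 1 SMTP {alice} AUTH failed: password(hunter2) is wrong.
Connection from [192.0.2.10:51022]
"""
```

The flagged entry carries the account and password lists, which is what distinguishes a dictionary run against one account from a user fat-fingering a password.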

